Atlassian security incidents: 2023 in Review

gitprotectteam

GitProtect Team

Posted on March 21, 2024

Atlassian security incidents: 2023 in Review

Welcome back to our third article in the series of DevOps-related incidents and failures. If you missed our previous review, don’t hesitate and catch up with it.

This time our focus moves to Atlassian-related incidents and “fackups”. As you may remember the year 2022 was rather rich for outages, security flaws, and vulnerabilities detected in Jira and Bitbucket. However, what about 2023? Was it the same hard?

Well, we don’t want you to wait any longer, so let’s get absorbed into the topic…

DECEMBER 2023
Atlassian Status info for Bitbucket: 3 incidents

Atlassian Status info for Jira Software, JSM, JWM, and Jira Product Discovery: 6 incidents
Atlassian Status info for Confluence:
4 incidents_

Atlassian addresses four critical flows in its software to prevent remote code execution

After detecting four critical flaws, which if successfully exploited, permitted threat actors to execute the code remotely, Atlassian had to take quick security measures and patch the vulnerabilities. All of the flaws got a CVSS score of 9 or higher and targeted different Atlassian tools.

Thus, CVE-2023-22522, a template injection vulnerability found in the Confluence Data Center and Confluence Server, enabled code execution on the Confluence page by an authorized attacker, including the one with anonymous access.

The second patched security flaw, aka CVE-2023-22523 with a CVSS score of 9.8, targeted Assets Discovery for Jira Service Management Cloud, Server, and Data Center. Hence, on machines running the Assets Discovery agent, the vulnerability permitted an attacker to carry out privileged remote code execution. The same result, the malicious actors could achieve with CVE-2023-22524, the CVSS score of which was 9.6. In this case, the hacker could execute the code by using WebSockets to bypass Atlassian Companion’s blocklist and macOS Gatekeeper protections.

The fourth was a deserialization vulnerability that the service provider had to address, the CVE-2022-1471 flaw in SnakeYAML library. It could lead to remote code execution in multiple Atlassian products and therefore, the CVSS score of the security flaw was as high as 9.8.

The Hacker News

NOVEMBER 2023

Atlassian Status info for Bitbucket: 4 incidents
Atlassian Status info for Jira Software, JSM, JWM, and Jira Product Discovery: 8 incidents
Atlassian Status info for Confluence: 6 incidents

OCTOBER 2023

Atlassian Status info for Bitbucket: 3 incidents
Atlassian Status info for Jira Software, JSM, JWM, and Jira Product Discovery: 8 incidents
Atlassian Status info for Confluence: 5 incidents

Atlassian Releases security advisory for Confluence data center and server

On October 4th, Atlassian released an advisory and urged its Confluence users to upgrade their solution to the latest fixed version as soon as possible, isolating vulnerable Confluence apps from the public Internet. All those measures were to address a vulnerability flaw that was assessed by the service provider to have the highest severity level of 10. By exploiting CVE-2023-22515 an external attacker could create unauthorized Confluence accounts and, consequently, access Confluence instances.

Moreover, in its advisory Atlassian later updated: “We have evidence to suggest that a known nation-state actor is actively exploiting CVE-2023-22515 and continue to work closely with our partners and customers to investigate.” According to Microsoft, in its notice on X, the company informed that the vuln had already been exploited by cybercriminals for a little less than a month – since 14th September 2023. The company called the hackers exploiting the issue Storm-0062, yet they noted that other companies track those threat actors as DarkShadow or OroOIxy.

The U.S. Department of Education and Federal Student Aid also monitored the issue. It concluded that nation-state actors were targeting research institutions by creating unauthorized Confluence administrator accounts and, as a result, could access Confluence instances and exfiltrate data.

The Record. Recorded Future News

SEPTEMBER 2023

Atlassian Status info for Bitbucket: 5 incidents
Atlassian Status info for Jira Software, JSM, JWM, and Jira Product Discovery: 11 incidents
Atlassian Status info for Confluence: 8 incidents

Atlassian released security updates to patch 4 high-severity vulnerabilities

Four critical security flaws Atlassian had to address in new versions of its products in September after those bugs had been discovered by the service provider via its Bug Bounty program, pen-testing processes, and third-party library scans.

The first vulnerability, a remote code execution (RCE) bug in Bitbucket, tracked as CVE-2023-22513 with a CVSS score of 8.5 could impact confidentiality, integrity, and availability. As Atlassian explained, an authenticated threat actor could exploit the vulnerability and access data without any user interaction.

The next security flaw, described as a denial-of-service (DoS) issue in Confluence Data Center and Server products, was tracked as CVE-2023-22512. It got a CVSS score of 7.5 and it could be used by the unauthenticated attacker to deny access to resources, ”by temporarily or indefinitely disrupting services of a vulnerable host connected to a network.”

Another security flaw, CVE-2023-28709, was described as a third-party dependency issue. Assessed by Atlassian at a 7.5 CVSS severity level, the threat actor could use the vulnerability to expose assets in the Bamboo user’s environment which was susceptible to exploitation.

The last of the patched four vulnerabilities was detected in Jira. Tracked as CVE-2022-25647 with a CVSS score of 7.5, the security flaw could allow a malicious actor to expose assets and then exploit them in their further deeds if they needed that.

Security Week

AUGUST 2023

Atlassian Status info for Bitbucket: 4 incidents
Atlassian Status info for Jira Software, JSM, JWM, and Jira Product Discovery: 15 incidents
Atlassian Status info for Confluence: 9 incidents

JULY 2023

Atlassian Status info for Bitbucket: 9 incidents
Atlassian Status info for Jira Software, JSM, JWM, and Jira Product Discovery: 6 incidents
Atlassian Status info for Confluence: 4 incidents

Atlassian patches severe RCE vulnerability affected Confluence Data Center & Server

After discovering high vulnerabilities through bug bounty programs, third-party library scans, and penetration testing, Atlassian released fixed versions to address those flows in Confluence Data Center and Server, and Bamboo Center. Three vulnerability flows – CVE-2023-22505 with a CVSS Score of 8, CVE-2023-22508 with a CVSS Score of 8.5, and CVE-2023-22506 with a CVSS Score of 7.5 – permitted an authenticated attacker to execute arbitrary code unless they are patched. Thus, they could severely impact CIA (confidentiality, integrity, and availability) without any user interaction.

Cyber Security News

JUNE 2023

Atlassian Status info for Bitbucket: 6 incidents
Atlassian Status info for Jira Software, JSM, JWM, and Jira Product Discovery: 11 incidents
Atlassian Status info for Confluence: 9 incidents

MAY 2023

_Atlassian Status info for Bitbucket: 5 incidents
Atlassian Status info for Jira Software, JSM, JWM, and Jira Product Discovery: 8 incidents
Atlassian Status info for Confluence: 5 incidents_

APRIL 2023

Atlassian Status info for Bitbucket: No incidents reported
Atlassian Status info for Jira Software, JSM, JWM, and Jira Product Discovery: 4 incidents
Atlassian Status info for Confluence: 6 incidents

MARCH 2023

_Atlassian Status info for Bitbucket: 3 incidents
Atlassian Status info for Jira Software, JSM, JWM, and Jira Product Discovery: 4 incidents
Atlassian Status info for Confluence: 2 incidents_

FEBRUARY 2023

Atlassian Status info for Bitbucket: 6 incidents
Atlassian Status info for Jira Software, JSM, JWM, and Jira Product Discovery: 8 incidents
Atlassian Status info for Confluence: 1 incident

Atlassian patches critical security vulnerability in Jira

The Australian service provider released multiple patches to address critical security flow, tracked as CVE-2023-22501, detected in Jira Service Management Server and Data Center. The vulnerability got a CVSS score of 9.4, as it could be used by threat actors to impersonate other Jira users and allow them to access the affected instances in two possible scenarios. The first one takes place when a user includes the attacker on Jira issues or requests. The second scenario happens if the JSM user’s emails with the “View Request” link are forwarded to the attacker or he otherwise gains access to that email.

According to Atlassian explanation, “With write access to a User Directory and outgoing email enabled on a Jira Service Management instance, an attacker could gain access to signup tokens sent to users with accounts that have never been logged into.”

After the patches were released, Atlassian urged its Jira customers, who used affected Jira versions – 5.3.0, 5.3.1, 5.4.0, 5.4.1, and 5.5.0, to update their instances to the latest patched version to protect their data from hostile actors.

Infosecurity Magazine

Atlassian leaked data stolen via a third-party app

A hacking group called SiegedSec managed to breach one of Atlassian’s employees and compromised his data within Envoy’s app. Thus, the malicious gang could access staff information, including names, emails, departments, and Atlassian office floor plans located in San Francisco, USA, and Sydney, Australia.

The nasty incident became infamous when a malicious group posted a cache of that employee’s data. According to the Envoy’s spokesperson, both companies’ security teams collaborated to “identify the source of the data compromise”. Hopefully, no critical data has been revealed.

Dark Reading

JANUARY 2023

Atlassian Status info for Bitbucket: No incidents reported
Atlassian Status info for Jira Software, JSM, JWM, and Jira Product Discovery: 2 incidents
Atlassian Status info for Confluence: 3 incidents

How to secure your data?

Vulnerabilities and security flows were the main threats that Atlassian users faced in 2023. Moreover, if you go through Atlassian Status, you will notice that some small outages took place, as well. For example, the Bitbucket Cloud operations outage in November, or the media outage that affected multiple Atlassian services in August. We have even dived deeper and counted how many incidents Bitbucket, Jira, and Confluence faced this year. Here is the result:

Bitbucket: 48 incidents
Jira Software, Jira Service Management, Jira Workmanagement, Jira Product Discovery (all together): 91 incidents
Confluence: 62 incidents

Unfortunately, outages and vulnerabilities can’t be avoided. However, you can act proactively and protect your data. Keeping passwords, credentials, and authentication tokens in secure places, enabling 2FA, secret scanning, and using professional backup tools are among those Atlassian security best practices, that can help to avoid disruptions, eliminate data loss, and guarantee business continuity.

Useful resources:
Jira backup best practices
Bitbucket backup best practices
Jira security best practices
Atlassian Shared Responsibility Model
Top 2023 Resources for the DevOps career roadmap

✍️ Subscribe to GitProtect DevSecOps X-Ray Newsletter – your guide to the latest DevOps & security insights

🚀 Ensure compliant DevOps backup and recovery with a 14-day free trial

📅 Let’s discuss your needs and see a live product tour

💖 💪 🙅 🚩
gitprotectteam
GitProtect Team

Posted on March 21, 2024

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related